Why email is at risk of becoming a security blindspot for IT leaders

Rick Goud, Founder & CIO of Zivver shares why email is at risk of becoming a security blindspot for IT leaders

As AI takes centre stage in 2025, businesses and employees are flooded with innovative applications and productivity tools. Yet, despite this technological surge, email remains the backbone of workplace communication across industries—used for everything from casual exchanges to sharing sensitive documents. In fact, our research shows that more than 90% of employees still consider email ‘important’ or ‘very important’ to their daily work.

However, as our digital and cybersecurity landscape evolves, there is a risk that email – while still an essential channel – is being left behind. Our latest report points to an emerging gap between the perceived risk of using email and the reality “on the ground” for security and risk management teams. While IT leaders are understandably focused on inbound threats such as phishing attacks, which 47% rank as their top concern, two-thirds admit that outbound security breaches – often caused by innocent human mistakes – contribute more to incidents of data loss. With many businesses taking email for granted, there is now a very real risk that the channel is becoming a security blindspot. 

This poses problems not just in terms of the actual vulnerabilities, but also for compliance. From NIS2 and GDPR in the EU to CCPA in the US, as well as industry-specific regulations like HIPAA in healthcare and global standards such as ISO/IEC 27001, which require email security to be considered as part of a broader risk management strategy, organisations are facing an uphill battle if they don’t prioritise email security. Only 73% of employees are aware of their organisation’s email security policies, and just over half (52%) adhere to them day-to-day. This suggests two things: organisations need to get better at devising and communicating their email security policies, and employees need more support – in the form of new tools and technologies – to make those policies easier to follow. 

Why Email Should Be High on the Security Agenda

Email may seem like a familiar and safe channel, but while businesses continue to use email in the way they always have, the threat landscape has matured significantly. AI-driven attacks are making phishing and ransomware increasingly deceptive, with techniques like payloadless phishing allowing attackers to impersonate trusted contacts and manipulate recipients into revealing sensitive information – all without deploying traditional malware. While inbound attacks like this dominate headlines for their sinister and coordinated nature, a significant blind spot lies within organisations, where accidental missteps can be just as damaging as a deliberate attack. Outbound threats – such as emails sent to the wrong recipient, accidental sharing of sensitive data, or files attached without proper encryption – are equally, if not more, pervasive. This creates a dual threat, which combines both external threats and internal vulnerabilities, underlining the need for a more holistic and integrated approach to email security.

What makes outbound threats particularly challenging is their devolved nature and unexpected human behaviour. Even the most diligent employees can – and do – make honest mistakes, often under pressure or through simple oversight. More than half of employees admit to making email mistakes at least once every few months, with 30% saying they make errors on an almost weekly basis. The report delves deeper: sending the wrong email attachment is the most common email error (33%), followed by emailing the wrong person (32%), using CC or BCC incorrectly (20%), using personal email for work (19%), and, finally, clicking on illegitimate links or attachments (17%). 

Email deserves more attention because it is extremely vulnerable to outbound risks as well as being among the top vectors for inbound attacks. This is backed up by the UK’s Information Commissioner’s Officer (ICO) who revealed that, in 2024, data leaks caused by human error – such as misaddressed emails – posed the single greatest threat among all cybersecurity incidents. 

Training, Policy Enforcement, and Finding the Right Tools

The gap between perceived risk and reality faced by security teams is something that most IT leaders are now acutely aware of. Artificial intelligence is increasingly being used to detect anomalies, flag potential threats, and provide real-time alerts to prevent security breaches. However, the focus of many of these solutions is skewed toward inbound threats, and attackers themselves are also using the same technology to create more nuanced, targeted criminal campaigns. This has led many IT leaders to question the pace of innovation from traditional security vendors. Our report found that more than two-thirds (67%) of IT leaders believe vendors are not innovating fast enough to address emerging risks, including outbound vulnerabilities that can lead to data loss and exposure. A majority (67%) of those surveyed also agreed that “Outbound email security doesn’t get much attention beyond compliance, but it is the silent security killer. Sometimes we focus more on perceived risks rather than actual threat realities when it comes to email security.”

Compounding this is the rise of hybrid and remote working environments, which introduce new vulnerabilities as employees work across multiple devices and networks. This makes even the most diligently designed email security policies difficult to enforce, leaving employees shouldering the burden of responsibility when it comes to outbound email vulnerabilities. With email remaining central to communication, this highlights the urgent need for a balanced approach—one that combines technological innovation with ongoing education and awareness to tackle both technical and human vulnerabilities effectively.

An Approach to Email Security Fit for 2025

The path to robust email security lies in a multi-faceted approach that addresses both human and technical vulnerabilities. For organisations, this starts with fostering a culture of security awareness. Training programs must go beyond the basics, equipping employees with the skills to recognise not only phishing attempts but also the risks associated with outbound email errors. Clear communication of security policies is equally vital, ensuring that employees understand the “why” behind the rules and feel empowered to follow them. Less than three-quarters of employees are aware of their organisation’s email security policies, and adherence remains a challenge – highlighting a critical area for improvement.

Technology holds the key. Instead of focusing solely on inbound threats, organisations must invest in solutions geared toward outbound risks that integrate seamlessly with daily workflows, striking the right balance between usability and security. Integrated AI tools can offer real-time guidance to employees, alerting them to potential errors before they occur. Attachments can be flagged as sensitive, recipients can be automatically checked in real-time based on the content of the email, and emails can be recalled if they are still sent accidentally. This level of automation makes it easy for employees to avoid potentially costly mistakes, empowering them to use email safely while adhering to security policies and compliance obligations. 

By adopting technologies that proactively address human error, by supporting employees instead of penalising them, organisations can close the gap between perceived and actual risks, making email a secure and reliable communication channel fit for 2025 and beyond.